`yarn npm audit fix`

Yarn plugin to fix npm audit issues.

Currently, the plugin searches for all descriptors in your dependency tree matching the module name and vulnerable versions of an audit advisory, and checks if new versions are available from the registry that will both satisfy the patched version range from the advisory AND the descriptor's requested version range. If so, it'll update the resolution to the new version.

I plan to add some additional strategies in the future:

Walk up the tree from vulnerable packages to see if upgrading a parent package will resolve the advisory
If updating a package that's a direct dependency via a project manifest, update the manifest to declare the new version
Add a --force flag that will apply semver-compatible resolutions even if they're not in the descriptor's requested range

Installation

For Yarn v3:

yarn plugin import 'https://raw.githubusercontent.com/sargunv/yarn-plugin-npm-audit-fix/yarn-v3/bundles/%40yarnpkg/plugin-npm-audit-fix.js'

Usage

To attempt to fix all advisories:

yarn npm audit fix --all --recursive --mode=update-lockfile

The command takes all the same flags as yarn npm audit, and also --mode from yarn install.

Name		Name	Last commit message	Last commit date
Latest commit History 20 Commits
.github/workflows		.github/workflows
.vscode		.vscode
.yarn		.yarn
bundles/@yarnpkg		bundles/@yarnpkg
sources		sources
test/fixtures/project1		test/fixtures/project1
.editorconfig		.editorconfig
.gitattributes		.gitattributes
.gitignore		.gitignore
.gitignore-sync		.gitignore-sync
.node-version		.node-version
.prettierignore		.prettierignore
.yarnrc.yml		.yarnrc.yml
LICENSE		LICENSE
README.md		README.md
package.json		package.json
tsconfig.json		tsconfig.json
yarn.lock		yarn.lock

License

sargunv/yarn-plugin-npm-audit-fix

Folders and files

Latest commit

History

Repository files navigation

yarn npm audit fix

Installation

Usage

About

Topics

Resources

License

Stars

Watchers

Forks

Languages

`yarn npm audit fix`